How To Become Part Of An IoT Botnet

We should all be familiar with the so-called Internet Of Things, a proliferation of Internet-connected embedded electronics. The opportunities offered to hardware hackers by these technologies have been immense, but we should also be aware of some of the security issues surrounding them.

Recently, the website of the well-known security researcher [Brian Krebs] suffered a DDoS attack. What made this attack different from previous ones wasn’t its severity, but that it had been directed not from botnets of malware-laced Windows PCs but from compromised IoT devices.

One might ask how it could be possible to take control of such low-end embedded hardware, seeing as it would normally be safely behind a firewall, preloaded with its own firmware, and without a clueless human at its terminal to open malware-laden email attachments. The answer is quite shocking but not entirely surprising, and lies in some astonishingly poor security on the part of the devices themselves. An exposé of one such mechanism comes courtesy of [Brian Butterly], who took an unremarkable IP webcam and documented its security flaws.

The camera he examined exposes two services, a web interface and a Telnet port. While from a security perspective their lack of encryption is a concern this should not pose a significant danger when the device is safely on a private network and behind a suitable firewall. The problem comes from its ability to send its pictures over the Internet, for the owner to be able to check their camera from their phone some kind of outside access is required. Expensive cameras use a cloud-based web service for this task, but the cheap ones like the camera being examined simply open a port to the outside world.

If you are familiar with basic firewall set-up, you’ll be used to the idea that open ports are something that should be under control of the firewall owner; if a port has not been specifically opened then it should remain closed. How then can the camera open a port? The answer lies with UPnP, a protocol enabled by default on most home routers that allows a device to request an open port. In simple terms, the camera has an inherently insecure service which it asks the router to expose to the world, and in many cases the router meekly complies without its owner being any the wiser. We suspect that many of you who have not done so already will now be taking a look at your home router to curtail its UPnP activities.

We covered the [Brian Krebs] DDoS story  as it unfolded last week, but we’re sure this is likely to be only the first of many stories in this vein. As manufacturers of appliances struggle to learn that they are no longer in the dumb appliance business they need to start taking their software security very seriously indeed.

Webcam image: Asim18 (Own work) [CC BY-SA 3.0], via Wikimedia Commons.

28 thoughts on “How To Become Part Of An IoT Botnet

    1. Because it’s friggin’ important.

      Because we, as engineers bear some responsibility for it (“get the damn thing out the door already” — remember that?).

      Because we, as a loose community of Internetizens and consumers should get our act together *before* some populist lawmakers start smelling their chance and start babbling (again!) about tarrists and hackers and how knowledge and access have to be tightly controlled for all of us to be safe.

      Better two wake-up calls than none, I’d say :-)

      1. While I don’t work in consumer software I do see the “get it out the door” mentality a lot (though not often on my team thankfully!)

        One particular manager, who has since left the company, was famed for his catchphrase “just knock it out”. Apparently he’d go to the pub with a senior dev after work and they’d cook up some new feature over a couple of pints. Then it was back to the office and hack together a POC and go home.

        Next day they would come back into the office and instruct the dev team that they want it in production in 2 or 3 days, if anyone questioned how they’d get 2 weeks work done in 3 days they’d be met with “just knock it out”. Invariably something would be released, then they’d spend a month trying to fix the thing until the next big idea came along.

      2. Aren’t they already? senators feinstein and cornyn are still trying to give the fbi access to our every online activity, the supreme court altered a part of rule 41 to allow the fbi to hack into any computer that’s using privacy programs like https and TOR, part of a botnet and with a warrant from any judge. congress are until December 1st to reject but they are..
        1. not in session until after the election and only for a few weeks which they will be using to pass bad bills.
        2. dumbasses
        3. ok with the peasants (us) getting hacked

    2. Because this article is not about the [Krebs] story, that only forms the backdrop. This is a write-up of an examination of a specific device’s security vulns. Click the link, it’s really interesting to read.

  1. “Expensive cameras use a cloud-based web service for this task, but the cheap ones like the camera being examined simply open a port to the outside world.”

    This is a strange statement for a technical blog. Surely this is not really about the cost of the hardware and enforces the fallacy of ‘more expensive is better’. More than likely, cameras with cloud based web services are less susceptible to cameras which directly host themselves by punching a hole in a firewall, despite the cost.

    This is a good topic to cover though. Readers of Hackaday are more likely to take action and inform others, than those of standard news sites.

    1. thing is with a telnet port and a simple web interface there is a good chance that anything cloud connected has similar vulnerabilities to this, the cloud connected device still has to reach in and out of the firewall.

      1. I fully agree. On top of that, the cloud storage opens up a few other possible attack vectors, and can be an extra layer of security that could just as easily be seen as another layer of new insecurities.
        And it opens a few completely different questions for the end user. How well is the cloud secured? How much data (and what) is stored in the cloud? Does the owner of the cloud use your data to generate other revenues?
        I’m more of a hardware-techie but i would guess you would have to route your camera-traffic thru an encrypted VPN-tunnel directly from the camera to the end-device to have the best possible security. But what does that do for you, if your end-device (smartphone, tablet,…) is compromised and can update the camera with malware hidden in a firmware-update?

      2. We’re in no way saying “The cloud based ones are secure”. On the contrary, a whole slew of different security issues come from that source, not to mention privacy issues.

        The only thing you can say for the cloud based cameras etc. is that they shouldn’t have to open a port to the world at large and accept incoming connections from all comers.

      3. With a cloud thing, you can at least only allow the camera (etc) to connect to a certain named host, at a certain port. It can stealth until sent a certain activating packet. You can use passwords and encryption, unique ones with a sticker on the bottom of a product, and force the user to provide a new password before it starts working. Give the user a blank sticker to write the password on. I know that’s naughty, but it will save way more trouble than it’ll cause.

        The problem is that manufacturers aren’t even giving the slightest fuck about security. They just get something that mostly works and ship it. Stick Busybox on it, whichever old Linux kernel will fit in the flash, and a standard camera connector. Made down to a price and squeezing every penny, so research and proper implementation is money wasted. The consumer, dumbass as ever, will blame it all on “hackers” rather than the shoddy piece of shit he’s been sold. Something Internet connected, without some proper security, isn’t fit for purpose. Not of merchantable quality.

        People should be allowed to sue the company who sold them it. Since there’s bugger all chance of finding the company in China who are responsible. Somebody needs to be made to care. Consumers don’t have the brains to take responsibility for buying wisely.

        Fortunately, if your device offers just a simple IP connection, there’s stuff you can do on your firewall to limit who can connect to it. What with firewalls being so configurable nowadays (while it lasts) there could be some quite sophisticated solutions.

        As for the devices themselves, perhaps someone should write security software for embedded, that the Chinese can implement without having to fully understand. Same idea as Busybox. It does everything, and they just add it to the build script they use for the system image. Have a configurator, or indeed add security to existing ones. I dunno what Chinese companies do to build their system software but I imagine it’s something fairly straightforward and basic (which is why they end up in this trouble). From one SOC to another, security software shouldn’t be so different.

        Alongside that, what about a firewall config program “for dummies”? A user enters what hardware their network has, and it generates all the necessary settings. Connects to their router, understands the config methods of popular routers, gets the passwd from the user, and sets it up just right for their needs. Rather than a faulty default.

        It could have a pre-setup phase, for the user to gather the necessary information. They can build up their information as they go, over a few days, then when the setup’s done, press “GO!”. And of course, if it goes wrong, “UNDO!” to put it back again.

        I think there’s stuff to be done, and the answer is in getting better tools into the right hands. Users and manufacturers.

  2. As soon as I see the word ‘cloud’, I see ‘breach of privacy’ and move on.
    I have a good number of PoE cameras under my control for work (in addition to those I set up for myself), and all are locked down hard.

    I was surprised at the number of default settings allowing outside access, which even a basic default password would fix.

    Makes me wonder just how many easily acessible devices there are out there…..

  3. It has been reported before that many cheap DVR machines and IP cameras do actually phone home to some obscure servers in the Far East, hopefully just to offer cloud and dynamic DNS services etc, but being them 100% closed source (although most of them run Linux), a security check isn’t that easy. This *does not* require open ports on the router but a filter to limit the traffic to outside can be effective to stop them for example creating a dormant VPN to somewhere.

  4. “Expensive cameras use a cloud-based web service for this task, but the cheap ones like the camera being examined simply open a port to the outside world.”

    Wow. I can’t even begin to describe how much I hate that sentiment.

    When I was first exposed to the internet I thought the potential of having a network that anyone can plug any device into to communicate with another anywhere was far more impressive then just what we can see in a web browser. No doubt had the internet remained a university and military toy we still would have had today’s social networking on AOL or one of those other comercial services.

    When I first was introduced to Linux… OMG I can access my computer remotely… for free? Windows required expensive third party software to do that back then. Not to mention web, ftp, etc servers.. free! It really amazes me that people pay so much money and/or give up so much privacy to cloud services these days. Seriously, there is nothing a cloud can do today that anyone with a cable or DSL modem and a little knowledge of port forwarding couldn’t have done almost 20 years ago without all that third party BS. And… we still can today!

    Seriously, if you look forward to a future where our home internet connections enter our houses already stuck behind a NAT, if you want a future internet that is nothing but a corporate owned and controled ‘infotainment’ service then by all means, keep pushing the cloud. I guess it will be marginally more secure. Oh yay!

    1. “Seriously, there is nothing a cloud can do today that anyone with a cable or DSL modem and a little knowledge of port forwarding”

      Well… except deliver content to multiple places at high speed. Most home internet connections still have asymmetric bandwidth, so going camera -> cloud -> multiple (non-local) devices is a lot easier than camera -> multiple (non-local) devices.

      1. Well.. I do see your point there. I’m not sure that is the most common use of an ip webcam like this. There aren’t that many people with a valid reason to be accessing my own home security camera for example and my modem can handle that just fine. I do admit though, upload speed is a good reason that we would upload our videos that we want to share with the world to YouTube rather than stick them on our RasPi FTP servers.

    2. We’re not pushing cloud based services, merely stating the way it is for a significant section of the market. A lot of IoT devices rely on cloud services to work, and we’ve reported on more than one that’s abandoned a heap of customers when the cloud service gets turned off. And that’s before we get into whatever vulns may lurk in the cloud service, or talk about privacy.

      All you can say for the cloud served devices in this context is they shouldn’t have to open a port to the wider world and leave it open to all comers.

    3. @me

      I find your naive view of the world so entertaining.
      Do you work on your own car ?
      Do you cook for yourself ?
      Knowing the “little knowledge ” is far beyond most people, and they require some engineer to know this in advance.

      I also do not blame any engineer for this morass.

      Boss: Do you have that code done ?
      Eng: We are still locking down that security.
      Boss: If you want you job tomorrow, you will have this done by morning.
      Boss: Besides, no one will ever know the difference.

  5. What’s annoying about all these botnet articles is that they fail to mention the real culprit. It’s not the crummy IOT devices. It’s the idiots that created the whole UPnP mess (thank you Microsoft). Rarely do any of the news blurbs talk about this.

    1. Vanilla UPnP has a particularly big hole which allows the UPnP device to ask the firewall to open a port on behalf of another IP. Smart routers block attempts to do this, and restrict UPnP requests to only open ports for the originating device.

    2. It’s both IMO. UPnP is a mess, but a developer or manufacturer who ships a device that automatically opens a non encrypted telnet port to the outside world with a default password should be put out of business.

  6. Would micro-controller based devices be less susceptible to this kind of attack. For example a lot very simple IOT devices dont need a raspberry pi, but could be easily implemented using something like an arduino ethernet. (for the sake of argument, lets ignore the fact that the arduino ethernet costs).

    Is a microcontroller more, less, or equally at risk to be hijacked and turned into a bot?

  7. One thing I see thats is not talked about! is it that all these devices have dynamic dns on them by default and enabled by default on some devices and or the regualr user prob clicked on it and enabled it because it is there free to use. Again that’s why dyn was hacked first as with out all those dynamic address or the dns information contained in the dyn database. I think it would have been harder to locate all these devices by hacking cloud servers from the manuafacture as there is more than one and only dyn would give them all the Ip’s to port scan that default port range.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.